It is now its own thing – not a subset of WAF or gateway capabilities. The report states:

“API security can be implemented as an independent layer that sits between the application and the firewall to protect APIs from attacks such as cross-site scripting (XSS), SQL injection, parameter manipulation and other types of web app attacks…The need for API security will increase in importance over time. As more applications are built on top of APIs, it becomes increasingly important to secure these interfaces with dedicated protection mechanisms
https://t.co/hwzzWRFo4u